Abstract: Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.

Abstract: A system, a method, and a computer program are provided for securely isolating access by one or more users in a group of network users to an enterprise network implementing Multi-Protocol Label Switching (MPLS). The security system includes an MPLS Layer-3 VPN (L3VPN) instance created for a group of users to be isolated, and a remote and mobile enterprise access (RMEA) gateway with secure socket layer virtual private network (SSL-VPN) and two-factor user authentication capabilities. A de-militarized zone (DMZ) is positioned in the network to security scan data traffic between the L3VPN and RMEA gateway. The security protocol involves two-factor user authentication and establishing, on top of the L3VPN instance, an SSL-VPN session between the user and the RMEA gateway, which provides the authorized user access to the network. Additionally, data traffic to/from the user is routed through the RMEA and the DMZ.

Abstract: This document describes techniques for expanding user groups while preserving user privacy and data security. In one aspect, a method includes receiving, by a content platform and from a client device of a user, a request for a digital component that also includes a user identifier. A determination is made that the user identifier is included in a user list that includes multiple user identifiers respectively corresponding to multiple users in a user action group. In response to determining that the unique identifier is included in the user list, a digital component of the entity for which the user list is generated is selected and provided to the client device of the user for display to the user of the client device.

Abstract: A modification to an applied ruleset intended for consumption by intrusion detection systems (IDSs) is detected. A service event that is configured to push the applied ruleset to a set of test network sensors associated with the IDSs is triggered. A service subscribed to the service event updates the set of test network sensors with the applied ruleset and designates a configuration version to the applied ruleset. A notification is received from the set of test network sensors that the applied ruleset has been tested and is ready for deployment to other network sensors and a request is received to deploy the applied ruleset to a set of network sensors. A determination is made whether the request includes the configuration version designated to the applied ruleset by the service. If the request includes the configuration version designated to the applied ruleset, the request to deploy the applied ruleset to the set of network sensors is authorized.

Abstract: A pattern detector circuit is provided in a security chip, wherein the pattern detector circuit monitors accesses of a plurality of configuration registers, each of the plurality of configuration registers having a corresponding address. In response to receiving from a host a predefined sequence of accesses of the plurality of configuration registers for one or more operations to the plurality of configuration registers, a processor in the pattern detector circuit determines a value indicative of a current version of a netlist for the security chip. The determined value is made available to be obtained by a read operation by the host at a specific configuration register address.

Abstract: Automatic preparation of data related to session initiation protocol (SIP) based traffic flows in a lawful interception (LI) scenario is disclosed. The dataset that is obtained may, e.g., be used for machine learning-based (ML) and artificial intelligence (AI) tools that can identify lawfully intercepted SIP-based traffic cases. Such preparation of data reduces the 5 risk of misunderstandings between a communications service provider (CSP) and a law enforcement agency (LEA), which reduces the time dedicated by both parties in understanding the correctness of LI data provided by the CSP to the LEA.

Abstract: Disclosed examples include accessing a search term from a client device; accessing a first identifier, the first identifier corresponding to a first database proprietor, the first identifier to access first user information corresponding to a user of the client device; accessing a second identifier, the second identifier corresponding to a second database proprietor, the second identifier to access second user information corresponding to the user of the client device; providing the search term, the first identifier, and the second identifier in a message; and transmitting the message to a server.

Abstract: According to various embodiments, a cryptographic processing device is described comprising a processor configured to determine a masking component, generate a masked version of a secret first element by masking multiple components of the secret first element with the masking component, determine a first share of the product of the secret first element and a second element by multiplying the second element with the masked version of the secret first element, determine a second share of the product of the secret first element and the second element by multiplying the second element with the difference of the secret first element and the masked version of the secret first element and continue with a lattice-based cryptography operation using the first share and the second share of the product.

Abstract: A named function network (NFN) system includes a routing node, a function generation node, and a server node. The routing node receives requests for new functions, the requests including data values for generating the new functions. The function generation node receives the data values from the routing node and generates a new function for the NFN using the data values. The server node receives a request from the routing node to execute the new function, executes the new function, and transmits results of the execution to the routing node.

Abstract: Systems and methods for determining network topology by implementing the security parameter index (“SPI”) to map network nodes that are behind a network address translation (“NAT”) address are disclosed.

Abstract: A blockchain-based network security system is a decentralized anti-attack network constructed by means of blockchain. The anti-attack network includes a blockchain network system and a server system wherein both system are disposed independently and the data link between them is connected via a switch. A plurality of block nodes in the blockchain network system are provided with anti-attack servers, and each anti-attack server is provided with at least one sub-server. When the sub-server of the anti-attack server encounters an abnormal access event, the path information in the access event is loaded into the blockchain network system via the switch connected to the anti-attack server. In one example, the path information in the abnormal access event is loaded into the blockchain network system for distributed processing so as to prevent the resource depletion of the anti-attack server in which the attacked sub-server is located.

Abstract: Techniques are described for providing software developers with secure software project development environments via cloud-based or locally installed integrated development environments (IDEs). A cloud provider network provides a project development environment policy service that enables users to configure project development environment policies associated with various software projects and to deploy configured policies to users' project development environments as appropriate. A project development environment policy can include rules related to monitoring and controlling version control system actions, monitoring the content of project source code pushed to version control repositories, among other software project governance-related configurations.

Abstract: One example of a system comprises using a processor for identifying a model to be validated that is stored in a repository; automatically computing and recording one or more model metrics for the model to be validated in a tamper-proof manner; comparing the computed tamper-proof metrics with one or more encoded rules and policies to determine if the model to be validated complies with the one or more encoded rules and policies; and outputting a notification to a device indicating a validation status of the model to be validated based on the comparison of the computed tamper-proof metrics with the one or more encoded rules and policies.

Abstract: An information processing system includes a first device and a second device. The first device generates first encrypted data by applying a first encryption with respect to the original data stored in a shared storage area, and causing the first encrypted data to be stored in the shared storage area. The second device generates second encrypted data by applying a second encryption with respect to the first encrypted data stored in the shared storage area, and causes the second encrypted data to be stored in the shared storage area. The first device deletes the original data and the first encrypted data from the shared storage area.

Abstract: After installation, a device may be asleep. A light signal device may send a message to the sleeping device to wake it up. This wake-up message may comprise the light signal device sending programmed light signals, the programmed light signals in modified morse code. An authentication part may also be included in the message. The light signal device may request an authentication message from the sleeping device.

Abstract: An intelligent trust enabler system for a 5G IoT (fifth-generation Internet of Things) environment includes: an IoT trust enabler mounted on an edge and gateway on a fifth-generation (5G) IoT infrastructure, for providing trust information based on data collected from IoT devices and performing operation and management of connected IoT resources; and an IoT trust agent for providing a legacy environment for the IoT trust enabler.

Abstract: Techniques for routing service mesh traffic based on whether the traffic is encrypted or unencrypted are described herein. The techniques may include receiving, from a first node of a cloud-based network, traffic that is to be sent to a second node of the cloud-based network and determining whether the traffic is encrypted or unencrypted. If it is determined that the traffic is encrypted, the traffic may be sent to the second node via a service mesh of the cloud-based platform. Alternatively, or additionally, if it is determined that the traffic is unencrypted, the traffic may be sent to the second node via an encrypted tunnel. In some examples, the techniques may be performed at least partially by a program running on the first node of the cloud-based network, such as an extended Berkeley Packet Filter (eBPF) program, and the like.

Abstract: Techniques are disclosed to obtain device posture of a third party managed device. In various embodiments, a unique identifier of the third party managed device is embedded in a registration communication sent from a third party managed device to an access node associated with a first party management entity. The registration communication is sent from the third party managed device to the access node. The access node is configured to store data associating the unique identifier with the third party managed device, and to use the unique identifier to obtain from the third party management entity device posture information for the third party managed device.

Abstract: An apparatus includes a CPU, a CPU boot ROM that stores a program to be executed by the CPU, a secure microcontroller that detects modification of the program, and a secure-microcontroller boot ROM that stores a recovery program for recovering the program in response to the secure microcontroller detecting modification of the program. The secure-microcontroller boot ROM is accessible from the secure microcontroller, and is not accessible from the CPU.

Abstract: The present disclosure relates to a trustworthy data exchange. Embodiments include receiving, from a device, a query, wherein the query comprises a question. Embodiments include identifying particular information related to the query. Embodiments include receiving credentials from a user for retrieving the particular information related to the query. Embodiments include retrieving, using the credentials, the particular information related to the query from one or more data repositories that are part of a distributed database comprising an immutable data store that maintains a verifiable history of changes to information stored in the distributed database. Embodiments include determining, based on the particular information related to the query, an answer to the query. Embodiments include providing the answer to the device.